Security Research Center Policy

In today’s world we have become more and more connected to Internet services, software, and hardware devices.

We share our information with our banks, medical institutions, and employers. We share our information with smartphones, smart TVs, smart watches, and other “smart things” in our homes, which usually retain our information in remote databases outside our control.
These technologies are deeply integrated into our lives and, in many cases, we have become dependent on them, making us vulnerable when the technology fails or our information is not properly protected.

Our research

We conduct security research to locate any data exposures in the databases of various companies, organisations, and institutions.

Typically we use the Shodan search engine to locate unprotected Internet-connected devices. This search engine is publicly accessible and allows researchers to identify devices and databases that are connected to the open Internet without password protection or any other technological barrier safeguarding the data stored in them. We do not crack passwords or authentication processes, and we do not use any other hacking techniques.

Once we discover a publicly exposed database, we report our findings according to the following guidelines:

When appropriate, we provide details of the data exposure to the company, organisation, or institution that failed to protect the data.

We do not modify the data we found.

We allow entities time to remedy the data exposure prior to making any details available publicly that would otherwise cause further risk.

We do not transfer any data to any third parties.

Why do we do this?

Here, in the Security Research Center, we do our best to:

Help businesses build better security by identifying data leaks, and

Raise public awareness of the dangers related to data breaches and security risks in the connected world.

Hard Money Lender Leaked Thousands of Customers Personal Data

While online lenders are becoming a hot target for cyber criminals, some of them leave sensitive data lying around unprotected and publicly exposed.

Exactly this kind of data was recently discovered by MacKeeper researchers during a routine security scan. No username or password was required to access it; it was effectively a public database.

The latest find, another misconfigured MongoDB instance, belonged to the lending company Anchor Loans, a big player in real-estate investment lending that has originated more than 13,000 loans totaling over $3.7 billion. The company operates as a mortgage pool, investing directly in trust deeds and earning income from the interest paid by borrowers.
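An exposure like this usually comes down to two settings in mongod.conf: the daemon bound to every network interface and authorization left off, so anyone who can reach port 27017 can list and dump every database. The script below is an added example, not code from the original page and not Anchor Loans' configuration; it audits a mongod.conf for exactly those two settings using constructed sample configs (a weak one and a hardened one). It parses only the simple two-level "section / key: value" subset of the YAML layout so it runs without third-party libraries; a production config with anchors or lists should go through a real YAML loader.

```python
"""Audit a mongod.conf for the two settings that most often turn a MongoDB
instance into an unauthenticated, Internet-facing database.

Added example (not from the original page). Assumes the standard mongod.conf
YAML keys net.bindIp / net.bindIpAll / security.authorization. The parser
below handles only the 'section:\n  key: value' subset, no lists or anchors.
"""
import ipaddress

# Constructed sample: listens on every interface, no authentication.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed sample: loopback only, authentication required.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""


def parse_conf(text):
    """Parse the two-level subset of mongod.conf into {section: {key: value}}.
    Comments (#...) and blank lines are ignored."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line.startswith(" "):            # top-level section, e.g. "net:"
            section = line.rstrip(":").strip()
            conf.setdefault(section, {})
        elif section is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            conf[section][key.strip()] = value.strip().strip("'\"")
    return conf


def is_public_bind(bind_value):
    """True if any entry in net.bindIp is reachable from off-host, i.e. it is
    neither a loopback IP nor the literal name 'localhost'."""
    for addr in bind_value.split(","):
        addr = addr.strip()
        if addr == "localhost":
            continue
        try:
            if not ipaddress.ip_address(addr).is_loopback:
                return True
        except ValueError:                      # hostname or socket path: treat as reachable
            return True
    return False


def audit(text):
    """Return a list of findings; an empty list means both checks passed."""
    conf = parse_conf(text)
    net = conf.get("net", {})
    sec = conf.get("security", {})
    findings = []
    bind = net.get("bindIp")
    if net.get("bindIpAll", "false").lower() == "true":
        findings.append("net.bindIpAll is true: mongod listens on every interface")
    elif bind is None:
        # Before MongoDB 3.6 the default was to bind all interfaces.
        findings.append("net.bindIp is not set: mongod before 3.6 listens on all interfaces by default")
    elif is_public_bind(bind):
        findings.append("net.bindIp %r includes a non-loopback address" % bind)
    if sec.get("authorization", "disabled").lower() != "enabled":
        findings.append("security.authorization is not enabled: any client that can connect can read every database")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name + ":", audit(text) or ["OK"])
```

Run it against /etc/mongod.conf on a host you administer: a non-loopback bindIp is acceptable only behind a firewall rule that limits 27017 to the application tier, and authorization should be enabled regardless of where the daemon listens.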

Among the exposed records were transaction details and communication logs with investors.

The database also contained the logins and passwords clients use to authenticate to Anchor Loans web resources, as well as indirect links to scanned copies of contracts.

Once our experts came across this information, we contacted a company representative to report the exposure and help get it secured. Anchor Loans was quick to get back to us; an internal investigation is currently under way, and the database has since been taken offline.

According to Anchor Loans: "Based on what we now know, however, we believe that much of the information was related to real estate data and real estate transactions, some of which is publicly available, and the great majority of which is not sensitive personal identifying information of our contacts. At this time, we have identified approximately 20,000 individuals whose data could have been exposed, had any of this data been illegally copied or accessed by any other third party. Again, we are continuing our investigation, and we will continue to refine these numbers".

Any industry that works with sensitive information, such as banking and finance, must take every possible step to secure its customers’ data. State and federal law requires not only that this information be kept secure and private, but also that borrowers be notified of any breach. Some states go as far as requiring credit monitoring and repair for up to three years.

As the company states on its website: “Rates and terms are dependent on your application. The more information you provide, the more options we can provide you with”. Applicants are thus encouraged to supply more personal details, which makes the stored data an even more attractive target for attackers.

According to Anchor Loans, "as soon as we have sufficient information to do so, we will take all necessary steps to ensure that the individuals who may have been impacted are appropriately informed, and to provide information and resources to any of our contacts who have questions about the security of their data or our response to this incident".

Needless to say, if such data falls into malicious hands, both the company’s current clients and prospective borrowers risk having their accounts misused by scammers. One such case was halted by the Federal Trade Commission in Missouri. According to Jessica Rich, Director of the FTC’s Bureau of Consumer Protection, two scammers bought consumers’ personal information, made unauthorized payday loans, and then helped themselves to consumers’ bank accounts without their authorization.